DDoS, or Distributed Denial of Service, creates a risk for businesses that conduct any transactions using public Internet services. The severity of the risk will, of course, depend on how much that business relies on its online systems for revenue. If the risk is sufficiently large, then budget is usually set aside for mitigation. But until recently many companies saw DDoS as a nuisance, and not a threat to data. However, things are changing. DDoS attacks are no longer simply a risk to the availability of an IT system or service. They are now being used in concert with attempts to penetrate networks and/or steal data. This changes the way that businesses have to calculate risk of loss with respect to DDoS attacks, as well as the way that counter-measures need to be deployed.
Unfortunately, hackers are increasingly turning to distributed denial-of-service attacks to take companies offline, steal their sensitive data, or distract them from other more sinister cyberattacks or malware invasions. According to the Worldwide Infrastructure Report (2018, Vol. 13), 2017 was characterised by increased complexity in the nature of DDoS attacks experienced. Modern botnets and DDoS-for-hire services now commonly combine multiple attack vectors such as volumetric packet floods, state exhaustion, and application-layer attacks in a single campaign.
In Q3 2017, organizations experienced an average of 237 DDoS attack attempts per month, or eight per day. These numbers represent a 35% increase in monthly attack attempts from Q2, and a staggering 91% increase from Q1. Why the massive rise? Researchers believe that the reason is twofold: the growing availability of DDoS-for-hire services, and the deployment of many unsecured Internet of Things (IoT) devices.
DDoS-for-hire services have lowered the barriers of entry for criminals to carry out these attacks, in terms of both technical ability and cost. Now, almost anyone can systematically attack and attempt to take down a company for less than $100.
And in terms of IoT risks, recently “discovered” botnets such as Reaper are now targeting known vulnerabilities in IoT devices and hijacking them, including Internet-connected webcams, security cameras, and digital video recorders. Each time a device is infected, the device spreads the malware to other vulnerable devices, expanding its reach.
DDoS attacks are a clear and present threat to businesses of all sizes and in all sectors. Gone are the days when DDoS attacks were considered just an Information Security or IT issue. We take a look back at some recent DDoS attacks that have troubled some well-known organisations, affecting not only their IT systems but their business reputation.
DDoS Attack Timeline of Events
- May 2011: Sony sent a letter to the US Congress, explaining that it did not immediately detect the theft of up to 101 million customer records because it was distracted by DDoS attacks.
- August 2015: On the night of Tuesday 11 August, parenting website Mumsnet came under attack. Its servers were bombarded with requests, which required its Internet service provider to massively increase server capacity to cope. A Twitter account, @DadSecurity, claimed responsibility.
- October 2015: UK Telecoms company TalkTalk suffered an attack that simultaneously degraded the performance of their services (through DDoS), and involved the theft of account information for hundreds of thousands of customers. TalkTalk’s share price dropped from 289.4 (October 20th 2015) to 225.3 (October 26th 2015) in the aftermath of the attack.
- June 28, 2016: PCWorld reports that “25,000 digital video recorders and CCTV cameras were compromised and used to launch distributed denial-of-service (DDoS) attacks, flooded targets with about 50,000 HTTP requests per second.” [2]
- September 20, 2016: Around 8:00 pm, KrebsOnSecurity.com becomes the target of a record-breaking 620 Gbps [3] volumetric DDoS attack from a botnet designed to take the site offline.
- September 21, 2016: The same type of botnet is used in a 1 Tbps attack targeting the French web host OVH [4]. A few days later, the IoT botnet source code goes public, spawning what would become the “marquee” attack of the year.
- October 21, 2016: Dyn, a US-based DNS provider that many Fortune 500 companies rely on, is attacked by the same botnet in what is publicly known as a “water torture” attack. The attack renders many services unreachable and causes massive connectivity issues—mostly along the East Coast of the United States.
- April 5, 2017: A new type of IoT botnet called BrickerBot is discovered. Over a four-day period, it launches thousands of PDoS (permanent denial of service) attempts from various locations around the world. BrickerBot uses Telnet brute force – the same exploit leveraged by Mirai – to breach a victim’s devices. The key to blocking the attack is disabling Telnet and changing the device’s factory-set passwords.
- August 24, 2017: A DDoS attack deluged web hosting provider and domain name registrar DreamHost, knocking its systems – particularly its DNS infrastructure – offline.
- September 30, 2017: Someone decided to target the UK National Lottery with a DDoS campaign. The attack knocked the Lottery’s website and its mobile app offline, which prevented many UK citizens from playing the Lottery.
- November 2, 2017: Cryptocurrency start-up Electroneum had crowdfunded $40 million worth of Bitcoin and Ether following an initial coin offering (ICO). Just before it launched its mobile mining app on November 2, the company’s website suffered a DDoS attack. The campaign led Electroneum to lock investors out of their accounts while it worked to restore its network access. In the meantime, the Financial Conduct Authority took a moment to remind investors that ICOs offer no protection, which means investors should “be prepared to lose [their] entire stake.”
In all cases, the companies involved had invested time, money and effort in IT security, but when it came to the actual attack, that security failed, the investment was wasted and they suffered financial and reputational losses anyway.
DDoS attacks are increasingly being considered as a business continuity risk, and rightly so. As we saw with TalkTalk, their share price dropped after experiencing a DDoS attack. The National Lottery’s site was knocked offline, and there is no doubt they saw a loss in revenue as a result. Routine testing is something every organisation that takes the DDoS threat seriously should be doing. Not only does it highlight vulnerabilities and weaknesses in systems and processes, it also helps familiarise staff, tune detection, and improve response times and efficiency in the face of an attack.
activereach have published a 3 step whitepaper series ‘A Guide to DDoS Mitigation and Testing’, starting with ‘An Introduction to DDoS‘ then moving on to ‘Testing Distributed Denial of Service Mitigation’.
1 Corero DDoS Trends Report 2017